ACS4.2, NX-OS and Cisco AV-Pair Question

Apr 19th, 2010

Hi,


I have some Nexus switches deployed in my network. They are authenticating user access via TACACS/ACS (4.2). I would like to get the user role part working, as currently any users logging in get defaulted to a network-operator role, so they don't have full configuration ability. Reading the Nexus guide, I see that this is achieved by somehow using the following Cisco VSA:


shell:roles="network-operator vdc-admin"



Can anyone help me to understand specifically how to get this configured? I guess that on the ACS somewhere I need to return this attribute for a user. However, I can't see where it's configured. I have been through the ACS admin guide, but it's not clear to me.


Many Thanks


RK

Correct Answer
Javier Henderson Mon, 04/19/2010 - 09:32
User Badges: Cisco Employee

You can configure this attribute per user or per group.


First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".


Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.


Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.


i.e.:


shell:roles*"network-admin"

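The accepted answer turns on the TACACS+ attribute separator: `attr=value` is a mandatory attribute, `attr*value` is optional, and a device that does not understand a mandatory attribute must fail the authorization, while it simply ignores an optional one it does not understand. The following script is an added illustration of that rule, not code from this thread or from Cisco; the attribute names are taken as written in the thread, and the "known attribute" sets per device type are constructed for the example.

```python
import re

# One TACACS+ authorization AV pair: the first '=' or '*' separates name from
# value. '=' marks the attribute mandatory, '*' marks it optional.
_AVPAIR = re.compile(r'^([^=*]+)([=*])(.*)$', re.DOTALL)


def parse_avpair(pair):
    """Return (name, value, mandatory) for one AV pair string."""
    m = _AVPAIR.match(pair)
    if not m:
        raise ValueError("not an AV pair: %r" % pair)
    name, sep, value = m.groups()
    return name, value.strip('"'), sep == '='


def authorize(pairs, known):
    """Simulate how a device handles the AV pairs a TACACS+ server returns.

    known: the attribute names this device type understands.
    Returns (accepted, attrs): attrs holds the understood name/value pairs.
    """
    attrs = {}
    for pair in pairs:
        name, value, mandatory = parse_avpair(pair)
        if name in known:
            attrs[name] = value
        elif mandatory:
            # Unknown mandatory attribute: the device must reject the authorization.
            return False, attrs
        # Unknown optional attribute: silently ignored, so the login proceeds.
    return True, attrs


# Constructed device profiles for illustration only (assumption, not a statement
# about any specific IOS or NX-OS release): IOS consumes the privilege level,
# NX-OS consumes the role list.
IOS_KNOWN = {"shell:priv-lvl"}
NXOS_KNOWN = {"shell:roles"}

if __name__ == "__main__":
    # The '=' form from the question, the '*' form from the accepted answer,
    # and a mixed profile where every attribute is optional.
    for profile in (['shell:roles="network-admin"'],
                    ['shell:roles*"network-admin"'],
                    ['shell:priv-lvl*15', 'shell:roles*"network-admin"']):
        print(profile, "IOS:", authorize(profile, IOS_KNOWN),
              "NX-OS:", authorize(profile, NXOS_KNOWN))
```

With the `=` form the simulated IOS device fails the authorization outright; with `*` it ignores the role attribute and the NX-OS device still receives the role, which is the behaviour the note above describes.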
rkoudmani Tue, 04/20/2010 - 03:32

Hi Javier,


That worked perfectly.


Thanks very much


RK

patrickkehl Mon, 04/26/2010 - 23:44

Hi Javier


I have the same problem. I configured everything as you recommended in your posting, but I still end up in the default role "network-operator".


ACS 4.2 Configuration:

user config

shell exec (enabled)

shell:roles*"network-admin"


After Login - the output of the command "show user-account" says:


user:ude3964
        roles:network-operator
account created through REMOTE authentication



AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request


rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3
tacacs-server host 172.28.193.34 key 7 "wg$yscmfv1"
tacacs-server host 172.28.193.35 key 7 "wg$yscmfv1"
aaa group server tacacs+ tacacs
    server 172.28.193.35
    source-interface Vlan501


In the debug aaa all - there is not much to see. NX-OS in this case is not as good as IOS.

In the ACS passed Authentication Report everything looks fine.


Do you have any idea how to go further?

Cheers

Patrick

fwim Thu, 06/10/2010 - 06:15

We are using both IOS and NX-OS switches. The av-pair used for IOS is shell:priv-lvl-15 and for NX-OS shell:role*"network-admin". After configuring


"cisco av-pair = shell:priv-lvl-15 shell:role*"network-admin"", I can log in on the IOS switch in enable mode and only in network-operator mode on the NX-OS.


After configuring "cisco av-pair = shell:role*"network-admin" shell:priv-lvl-15", only NX-OS logs in as network-admin and IOS in exec mode.


Do you have any idea how to configure the correct av-pair config for NX-OS and IOS switches?

Javier Henderson Thu, 06/10/2010 - 06:24
User Badges: Cisco Employee

Can you capture the traffic between the TACACS+ server and the switches and post it here, so we can see what is actually being sent?


You will want to capture both instances, i.e., when NX-OS works right and when IOS works right.

Elly Bornstein Fri, 06/11/2010 - 11:21
User Badges: Cisco Employee

Try removing:


aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs


I believe with Nexus you can only do RBAC or command authorization, not both.

Nicholas Poole Thu, 11/18/2010 - 05:50

Does anybody know if this can be done in ACS 5.1? I am looking for TACACS+ VSA options to do this, but all I can find are RADIUS VSA options to be configured.

Javier Henderson Thu, 11/18/2010 - 05:55
User Badges: Cisco Employee

You can send custom AV pairs with ACS 5.1 by creating a custom shell profile under Policy Elements; then you would tie this shell profile to an authorization policy.
